Episode 109 - K12 SIX Conference Recap and Doug Levin Interview

Mar 10, 2023 · 57 min · Ep. 112

Episode description

Chris is on leave again this week, so Mark and Josh do their best to proceed without him.  

Mark recaps the K12 SIX Conference that was held in Austin, Texas. Josh talks about trying to change an SSID over to WPA3, which did not go well. They also talk about a new method students are using to attempt to crack WPA2 passphrases on Chromebooks using the chrome://net-export page.

The majority of this episode is an interview that Chris and Mark conducted with Mr. Doug Levin, founder of K12 SIX. Doug sat down with the guys to talk about what K12 SIX offers to districts and what the goal of the conference is.

LISTEN HERE (and on all major podcast platforms).

Hang out with us at K12TechPro.com

Buy our merch!!!

Vizor - 20% Off

Fortinet - Email fortinetpodcast@fortinet.com

SomethingCool.com - Cybersecurity Solutions

Extreme Networks - Email dmayer@extremenetworks.com

Provision Data Solutions

Oh, and...

Email us at k12techtalk@gmail.com

Tweet us @k12techtalkpod

Visit our LinkedIn page HERE

Reddit

Transcript

Live from the SomethingCool.com Studios this is the K-12 Tech Talk podcast. I am Josh with me tonight is Mark, again, this is the second week in a row that there is

no Chris. We have not had reports yet of where he is we are trying to locate him but we are starting without him uh welcome to oh HR is here hang on let's see oh I have a I have they're handing me a letter what is this letter what's that memo what is yeah um dear K-12 Tech Talk podcast Administration uh this is from Sue in HR um apparently there was Sue is the best by the way yeah she's she's lovely she makes the best pound cake um apparently there was an incident at

K12 SIX and I guess we will talk about that in a little bit um and Chris has been placed on administrative leave for another this is the second week in a row that he was under the administrative leave um so no Chris this week sorry guys we'll get into the rest of this letter in a little bit um but you guys are fresh back from Kate oh not Kate yeah okay tomorrow Josh foreign six I got to talking too fast there um we'll get into all of that in a minute you and Chris got to meet for the

first time uh it's been I don't know it's it's been a crazy week our spring break starts tomorrow no no students or staff uh Thursday Friday Monday Tuesday but us 12 monthers will be there we've got some things to break and some things to patch um if you do have uh a Fortinet and let's just get our Fortinet sponsorship covered really quick um for all of your Forti-wants and Forti-needs uh contact Fortinet at fortinetpodcast@fortinet.com that's our buddy Chris illingsworth illingworth

uh the salesman there he will be able to help you point you in the right direction for all your Forti-wants and Forti-needs they will be at the Midwest Tech talk security Symposium uh that is this Friday the 9th which is probably too late if you're listening to this now um but Fortinet the FortiOS released 7.0.10 I believe so if you have a FortiGate firewall go ahead and update that bad boy to 7.0.10 I do believe this 7.2 firmware also had an update as well

uh let's see so that's Fortinet our great sponsors they've been with us for a while something I changed this week and Mark you and I talked about this before the show is I tried changing I had a security assessment done last Friday that was a fun um you know type it's like going to the doctor man you know [ __ ] turn your head and cough and we're gonna ask all these questions about your security roles and uh all your policies and stuff and one of the things that I kind of got beat up

on was I still had WPA SSIDs or WPA2 SSIDs and they're for my Chromebooks because we don't we don't 802.1x those um and she suggested that we moved to WPA3 so Friday afternoon I broke I broke one of the tenets of IT of don't change things on Friday at like 3:30 on Friday afternoon I decided I'm gonna try and change this SSID from WPA2 to WPA3 and see what happens um so I changed it and I thought I saw devices connecting and I went home and had a glorious weekend

right Monday more yeah Monday morning at 6:45 in the morning I get a text from the high school principal saying hey I think we got a wireless problem none of my I've got kids here for tutoring and they can't get on their Chromebooks well luckily I was already driving into the office and uh I get in I'm like well I can almost bet what that was so I changed it back to WPA2 real quick and it they all associated long story short next what I did is I spun up a new SSID

and made it WPA3 with a passphrase and everything and the Chromebook associated to it fine like I typed in my password and it worked fine so there must there must be something with I don't know if it's Aruba uh Wireless I don't know if it's the Chromebook but I think there has to be some sort of negotiation or some sort of cache negotiation that has taken place and changing it from WPA2 to WPA3 freaked it out but if it's a new SSID going straight to WPA3 they seem to

connect fine and even though the Google admin console if you go into uh connections and wireless when you add a new SSID or you configure an SSID it has a drop down for security and it has WPA slash WPA2 but it doesn't say WPA3 it will work with WPA3 that I tested that verified that and pushed it out and it worked with my WPA3 did you keep the SSID the name the network name the same yes the only thing I changed was the authentication type and even the passphrase was the same

um the only thing I changed was from WPA2 to WPA3 and the really weird thing was I had iPads associating and Windows devices associating to that SSID but my Chromebooks would not really weird I was gonna I was gonna speculate that maybe the Chromebooks were looking for the old configuration because you had the same ID and password but they're just confused because it's a different setup I don't know man maybe if you tried a whole different name or password would see it as a brand new network and

who could be and I I mean I know that works with a new SSID because I we already proof of concept that I did that Monday afternoon um so now that we're on spring break we might try changing that again and just see what happens what else we can break sure and see so um we also talked a little bit ago we see we did we did pre-work Chris isn't here and we laid out this we did pre-work we had a nice pre-meeting um normally that doesn't happen when Chris is here this goes straight into

what he drank from Sonic yeah it was what was it I don't know nerds or something it was uh what did he say it was a frozen lemonade with added strawberries and added nerds and if they get the Nerds you throw a fit because he gets a whole cup of nerds that he puts in there and that was our big interview too and he starts it off with yeah describing how to get a nerd slot I'm glad he's on leave yeah no Sue from HR has got the right thing going here okay yeah

um so Mark why don't you talk about that Reddit story that we were talking about uh if you want real quick yeah so there was a Reddit thread um that allows uh students to on a managed Chromebook to pop in a quick URL is a quick Chrome URL um I think I'm not I'm the exact URLs uh escaping me right now I've got it it is chrome://net-export and as you can imagine with a name like net export it allows somebody on a managed Chromebook to download and

export quite a lot of information about your network configuration including if you are on WPA2 the password to the wireless well I think what it it's a two-part thing so according to the net the Reddit article they export I think the hash with the net export tool and then you go to this website called nppe Dot glitch.me and it it takes the hash and then converts it and gives you the passphrase right um so yeah first thing I saw this article this morning early and the first

thing I did was go in and and block that Chrome URL that slash slash net export right not it's obviously not a um a very simple thing to do it's going to be you know your more advanced person is going to be able to kind of figure this one out and create the password but as you can imagine a leaked password doesn't take long to spread it only takes one person in your environment to get that leaked password and all of a sudden everybody's got it so yep definitely get that URL blocked we

definitely blocked that as soon as we saw that thread and thank you to the person who posted that one you know there that brought up that did bring up an interesting conversation with my guys I had two one I had two conversations with my guys today that were interesting one of them made me feel really old and in this conversation about what other Chrome URLs we block um and in that Reddit sub in k12sysadmin there one of the comments someone put in a huge litany list of all

the chrome:// URLs that they block we don't go that far and my guys are going to kind of look through there and see which ones are useful to block and which ones really don't matter um but it is interesting there are a ton of those Chrome URLs um like the chrome://about I don't see a reason to block chrome://about because that you can you know you get valuable information out of that um but other other stuff like chrome://kill and and chrome://flags uh there there are

definitely some good Chrome URLs to block so oh the other conversation I had with my guys uh today I had to explain Y2K to them can you believe that what they were born in one of them was born in 99 no 98 98

or 99. so he really doesn't remember Y2K and then the other one probably was born in like 2003 oh no yeah so I had to go I'm feeling old so I was like dude I was out of I was in college working at a hospital and I'd go to the whole story about how to give the hospital the address I was going to be at so that if something happened they could give it to the Sheriff's Department to find me well seriously we had to do that yeah Y2K was real man it wasn't a conspiracy it was

real yeah they were they were like blown they're like you had to tell the sheriff's department where you were going to be because the clocks were gonna hit yeah I didn't have an ankle bracelet at the time so um at the time yeah well it's a joke Mark it's a joke um so let let's see who's going to be suspending me next um after my comment earlier and now that yeah um so let's get let's get to the heart of the article or the heart of the episode episode 109 here uh you and

Chris I I think the headline is here that you and Chris met is the headline at K12 SIX in Austin the great state of Austin Texas or the great state of Texas uh wonderful City of Austin great barbecue um but you were you guys were there for a reason why why were you guys in Austin so we went to the very first K12 SIX uh Summit or or conference it was put on by Doug Levin which you're going to hear about in a second uh and it was a a uh Gathering of K-12 professionals mostly I

would say mostly we're we're District folks and and that's a big part of uh of Doug's interview is who's at this conference um but it was the first of its kind where it was a cyber security conference dedicated to K-12 so it was a really cool environment to be you know if you've ever been to a conference and they have all kinds of different topics and you're always like well what's the theme well this one was very clear everybody's here to talk about cyber security and some of the best sessions

I've ever seen uh or or been to or were at this this conference Chris and I were down there representing the podcast and we did a session on uh on ransomware and it was very well attended and standing room only and um and then we got to hang out and talk to some folks uh afterwards and it was a very very quick one I was in and out just for that one presentation uh but definitely worth it and I'm definitely gonna look at this for next year see if I could send some folks for my team

because I think it's really really worth worthwhile effort uh even though it was a long trip down to Texas it was definitely a worthwhile effort so let's I I just have a couple of questions and we'll get into why Chris has been suspended um question number one were any cowboy hats purchased you and I had a bet going were there any cowboy hats purchased yeah and I don't think we ever told Chris about this bet but the whole thing was can we convince Chris to buy a cowboy hat in Texas it did not

work ah unfortunately no and in fact John and here's the thing that Josh doesn't know either so Josh bet me ten dollars uh that I couldn't get Chris to buy a cowboy hat I made a counter bet with Chris that I would give him five dollars if he took a picture with a cowboy hat on and sent it to you therefore we would both profit um off of your ten dollars but that didn't work either um okay so we'll move along uh you met all sorts of people right like um there were several listeners some of

the first text I got from you guys that morning was we've got people here that know us like they know us by name yeah they know who we are they're coming up to us and saying hi and stuff like that so I believe you met Neil from New Hampshire who we're gonna the three of us were gonna go see in New Hampshire in May at the K-12 or at their CTO Clinic um the gentleman that puts your head on a buffalo you got to meet them I got to meet him yeah yeah it was really

exciting that was they were excited to meet you and Chris from what I understand as well yeah right yeah that was fun and then uh were there were there some other people or am I forgetting anybody uh there's a lot of people down there it was really cool to see I think some people had actually traveled to the conference just to to be able to meet us which was a new experience for me as well uh so that was that was a lot of fun but it was it was a really cool really cool event and I

know that we were down there for the podcast but I feel like I uh took it's one of those conferences where you feel you take more out of it than you than you actually give and that's that's definitely a great conference that's that is a sign of a great conference um and we'll just kind of tease something here uh you guys may have struck up a relationship with CISA there were some representatives from CISA there that apparently declined to come on the podcast at the time right

um she didn't they didn't want to come on the podcast they said they couldn't well I think that they got to do it's a federal government here you got to get approvals and stuff you can't just jump on there uh so yeah no we've uh We've uh had at least one meeting so far after that with them so that this could be interesting um so let's get right into it you and Chris took or Chris took the podcast equipment down there on the on the K-12 Tech talk plane the jet um

and you guys interviewed Doug so what that's what the rest of this episode is is an interview with with Mr Doug um what did you guys kind of talk about and and cover in this interview what are people going to hear so yeah as you as you're about to hear we talked a lot about the purpose of K12 SIX what the uh the organization is set to do and what it's what it has been doing for the last few years and now you have a conference which has been established by the organization uh to

help get people together which is great right it's always nice to have these resources online you kind of have you know virtual connections with folks but to be able to have this kind of tangible conversation is great the other thing I thought was really good about this conference is that it was it was really touted as like a kind of a safe space right and and Doug was very deliberate at the beginning of the conference about saying hey there's no media here this is

not a like big open public event this is supposed to be a safe space for people to come and talk openly share their experiences there are some districts that were sharing their experience of going through cyber attacks and and the the space was set up so that they could feel safe in doing so that they know that they're talking to somebody who is either going to help them or learn from them not exploit any sort of weaknesses or challenges and things like that so it

was really good there were um there were some vendors there as well but there were vendors that were like purpose-built of like I'm here to help K-12 organizations with security I'm not just here to to Market or sell anything I'm actually here to help so it was really good to see uh the wide variety of people that were down there we even met somebody from a bond rating company who you know his company's role is to give bond ratings to different cities um and how you know he's now seen how

important cyber security the K-12 area is and so with the representation from the different vendors from different districts and the federal government folks really kind of elevating this importance of K-12 cyber security it was really great to have this kind of uh Gathering of the minds uh at K12 SIX you know it's funny you say that about the bond person I received an email from a friend of mine who has been on this show before and he said their district is

floating new bonds they're getting ready to start a construction project and he had a correspondence from one of the underwriters with the bond company that said I want to see your cyber security plan as part of their due diligence in giving them a bond rating and being able to float these bonds so that's uh you had said that last week and I'm like wow that's going to be an interesting Trend and literally a week later I get an email saying that that it's happening yeah so back to Sue's

letter um to the podcast Administration so in this interview with Mr Doug uh yeah Chris kind of he insults Doug's map he calls he calls Doug's map stupid uh so K12 SIX has a map on their website of all the different um K-12 related cyber attacks so you can see just how big this area is and Doug will talk about that um Chris made some comments I was hoping it wasn't going to get back but I think HR did did hear as you're gonna as you're gonna hear what what Chris said

well I mean we're gonna air it so of course I mean HR that's all of this stuff so I mean they heard it I don't I don't think Doug complained um but yeah no it's uh Chris is on so hopefully he's been we think he'll he'll be back next week Sue's letter makes it sound like it's only a week suspension Mark I know you have to run so why don't you leave and I'm going to hit the rest of our vendors for this or our sponsors for this episode Mark we'll see you next week um if you want to get with us

if you want to shoot us an email K-12 Tech talk at podcast or k12techtalk@gmail.com and we're on Twitter @k12techtalkpod uh see you later Mark bye bye uh so our last couple sponsors for this episode Vizor vizor.cloud is a proud sponsor of the K-12 Tech Talk podcast next week we will be interviewing a special guest from Vizor on the show a customer of Vizor's that knows way more about Vizor and what they do than what Chris and I and Mark do so Vizor can help you with your IT asset management

from Chromebooks to everything else go to vizor.cloud K12 Tech talk that's v-i-z-o-r dot Cloud slash K-12 Tech talk and finally almost finally tonight Extreme Networks I've been an Extreme customer for eight years email dmayer@extremenetworks.com they have industry leading upper right quadrant when the Gartner reports uh both physical and wireless networking that's dmayer m-a-y-e-r at extremenetworks.com and finally Provision Data Solutions who has been with us

since day one uh they are proud of the sponsor of K-12 Tech Talk podcast they can help you help your tech department do whatever they want to do whatever they want to accomplish uh they can help you get there catch Chris and Eric Eric the intern at CoSN in a couple of weeks in Austin Texas they will be recording uh and it have some swag available to buy and some other very uh exciting announcements to come a little teaser there it is super exciting you'll want

to hear what they have to say at CoSN and then on May 3rd we will be at the New Hampshire CTO Clinic all three of us it'll be the first time I meet Mark it'll be the second time Chris meets Mark all together in one place for the first time ever so if you're in the New Hampshire area or in the East Coast area see if you can come up to New Hampshire CTO Clinic now on to the meat of the episode the interview with Mr Doug Levin all right Mark so we're here at K12 SIX in

Austin Texas you got it right this time we did our session earlier and I announced that we were in Dallas yep I think I was still tired from the flight here and then try to play it off as a joke it was a joke it was planned uh so we have sitting in the hot seat Doug Levin what's up Doug hey guys how you doing so Doug would you tell us about K12 SIX I guess the conference but also just the organization as a whole yeah well let's let's start the conference right because this is where we are right so

um this is about a 150 170 person conference dedicated solely and exclusively to cyber security issues in K-12 settings right so um lots of Ed Tech conferences have lots of topics and we're starting to see more and more cyber security tracks where cyber security sessions right um there's some Regional or state events kind of more like one-offs on cyber security but we really felt there was a need for a National Conference focused exclusively on helping folks defend their school systems today

from the threats they're facing and we've got folks here from like 25 different states New Zealand and Canada we've got folks from the federal government it's um you know for me it's kind of like a homecoming kind of because a lot of these folks have gotten to know um online some of which are K12 SIX members but but many are not yeah right but there's people I know from podcasting from social media from webinars yeah right who care about this issue and it's just a chance for us to get together

for a day and a half focused and talk and the other the other thing about this that we tried really hard to do um while you know everybody's gonna have sponsors and and there's no question that we need yeah hell the cyber security solution providers to do what we do yeah um but so many of the cyber security events I've gone um like 75 of the sessions are led by solution providers and that has a place and that's important but it's not creating you know it doesn't leave a

space for us to talk as practitioners to yeah each other and it's just it's a different experience yeah that's what we've tried to do it's also helpful for them to hear what districts are going through right so hear them you know have them see what's going on in the ground what we're dealing with so they can at least take those from the back or those those issues back to their company I think it's really important because there's actually a relatively small

number of cyber security companies that are sort of Education First many of them particularly as they've seen these stories about school districts becoming victims um they're like oh we have cyber Security Solutions education market must just like any other Market we'll just sell them the same solution in the same way and of course you know if it works for manufacturing it'll work for schools yeah uh no not necessarily yeah and so I think for some of them this is a this is an

education as well about the market so who's the primary audience here is it mostly school districts School District folks are here the the it is primarily folks from uh school districts primarily with titles like CIO CTO executive director of Technology we have some school systems that have sent teams um some cases you know five six people in a variety of roles um but a lot of people are their only person that came uh from the district to the event we do have uh three or four

state Departments of Ed represented we've got some folks from uh Regional Education agencies so like uh BOCES or county offices of Ed or esc's here in Texas um we actually have some folks who are associated with the insurance yeah we would talk to our people yeah yeah so yeah subscribe talk to us about bonding oh well yeah I thought it was like what it was awkward because we kicked butted that session he was wanting to bond with us but you just talk about financial bonds Bond

bond rate yeah Bond ratings yeah as it relates to cyber security it was it was a good conversation actually well look when I mean school districts float a bond to pay for their operations pay for technology Investments and if it turns out like school system may not be able to pay it back because I don't know they're recovering from a major ransomware they have an interest in fact you know sort of like the way insurers have driven so much change in K-12 cyber

security in such a short period of time it sounds like the bond rating agencies are about to be wow coming too so uh well I guess we'll learn more about that tomorrow right yeah um when he speaks but um yeah fascinating so we wanted to bring in some folks who were working in like What in in sort of services that are deeply embedded with schools but aren't likely always the likely people that we see at these events yeah right so people that that are that should be here at the

conversation that are really hard to get in superintendents CFOs how do we tap into them in the conversation like here uh you know that's the what uh 800 million or 64 million dollar question if um you know probably like you I've been to conferences of those people and hold sessions and know what comes I mean you know there'll be like four people in a room at the National Sports Association on a cyber security presentation so that is a real that's a real challenge

um talking to you know folks actually with a business office uh background here I don't know if you met Greg ottinger but he was this this Chief business officer of San Diego schools he's like oh you'll never get my peers they think they know it all they don't and so it is a it's a persistent problem but I think what's interesting is that um there's a lot of brainstorming with people here about how to get those people to care and get them around the table and how to talk to them

how to get yourself at that table so um you know we'll figure it out it'll happen sooner or later I think all of us would love it to happen sooner and with fewer things going off the rails but some or things may have to go off the rails I don't know yeah so tell us about some of the sessions that are going on this week so we've got um maybe three or four uh uh school systems that are here giving essentially incident reports right they experienced major ransomware incidents and they're

just telling their story about uh what happened I mean uh you know you all sort of gave a similar sort of session where you sort of synthesized um that information from folks you've recently spoken to about this um and so those are always incredibly popular because everybody wants to know the juicy details and really you know I tip my hat to these folks for being brave enough and willing to come and share right everything and it is just helpful to understand uh what could happen and what that

really looks like and maybe how to avoid it um we've got folks who are you know honestly are providing advice about how to how to get your administrators to care and to buy in um we do have a session you know from the bond agency rating site we'll have a policy session delivered by a gentleman from the CDT Center for Democracy and Technology who's Tracking not just things like E-Rate and you know ESSER funds which we know about or even like the State and Local Cybersecurity Grant Program that CISA was you

know mentioning just on stage here but um uh but other sort of broader cyber security programs that cut across all of critical infrastructure right so there's a stream of policy around cyber security and how to help organizations of all types and of course all public sector agencies are at risk and so there are some rules and laws coming down the pike that are likely to affect us um may or may not have money attached to them but I guess we're kind of used to that in the sector but um obviously

that creates other challenges but anyway he'll be talking about that so and then we've got a nice presence actually from uh CISA here and I just came off stage with uh Malayan Clark at CISA um and so and they're delivering a session right now talking about all the things that they are offering to schools and are interested in doing more with schools which has been really exciting and in the US Department of Ed as well right um and they're what I would say dipping

their toes more yeah into the subject but hopefully if they get engaged and hopefully you know certainly the work they've done in privacy has been helpful um and I think folks needs support so if they can you know marshal resources that be terrific so really all it's you know it's really everything from strategy to Lessons Learned um uh and and I think sort of more practical uh sort of stuff vast majority sessions being delivered by practicing K-12 IT yeah yeah it's been great I mean

there's been very very small schools Consortium schools large districts so in terms of the the landscape it's a 150 or so districts from a wide variety of of backgrounds but then to see the sprinkling of CSUN doe and people from other countries it's really incredible and the other countries was unexpected honestly um uh the folks from New Zealand uh Ministry of Education actually I had spoken to before because they're actually doing fascinating work there um what I'll say in the U.S context is

they're kind of work into a state in our system uh than than the federal government is um to us so um they're able to do things that oh like a state could do but it's actually pretty impressive what they're doing as a country in that way and they've been actually very curious and generous in reaching out to folks in other countries to find out what they're doing to sort of beg borrow and steal ideas and kind of vet their ideas so I've gotten to know them that way they

submitted a speaking presentation and I actually wrote them right back I said I'm thrilled that you're interested in presenting at a conference I'd love nothing more for people to hear your perspective and to build some more exchange but you you do know this is in Austin and like you this isn't a virtual conference and we literally could maybe not be physically further away from you yeah like you're looking at like a 24-hour flight you know of air time to get here and they're

like yeah yeah we know like all right you're accepted you're in you're in you're in uh but then you know the school system from Canada it's like can we come like come on down yeah absolutely so who knows you know like in the future who knows me and I'd love to uh have a bigger event um I think you know first time event lots of you know busy conference calendar um you never know who's gonna show it's after COVID right so maybe something happens again uh frankly I was worried

you know even though it's like 86 degrees today Austin you know just a couple weeks ago was shut down literally shut down because of a uh weather cold weather so um that's always a challenge this time of year so you know we tried to build something very intentional and um you know thrilled with the the turnout and you know who knows where we'll be next year but we'd like to be bigger but I don't want to get out over our skis yeah and I want to keep the focus laser sharp right

um not be all things all people this is just about protecting helping to protect like it yeah no this is a really good conference and you compared to some of the mega conferences that you go to this one the content is really really practical to the point there's no kind of pie in the sky I think it's a very very practical sessions yeah I mean well and also like just turning in and talking to people okay one of mostly what I've been doing when I've not been in session

grabbing someone by the hand and then grabbing somebody else by hand saying you two people need to talk you have stuff in common yeah and um that's the thing you know that's what you can do in an in-person conference that you can't right ever right okay so if I am just hearing the word K12 SIX for the first time uh would you unpack what that is what that can do for you that kind of thing yeah so one don't feel bad if you haven't heard of us before because we're frankly relatively new in the space

um I've been in the space for a long time I've been doing edtech stuff um since we were connecting classrooms information superhighway um I did a little report for Pew Internet & American Life Project called The Digital Disconnect about student experiences with technology way back in early 2000s I was executive director of SETDA during the Obama years so I've been around this space for a long long time um and really the only organization that has existed with a focus on cyber security has been

MS-ISAC right and uh terrific organization but of course a broad organization it serves all public um entities of all types the right threat Intel um but the you know the challenge is that it's not always well targeted um or suited to the school environment um and so it's maybe not as actionable as it as it could be and then some of the other broader Ed Tech organizations um I mean they have really broad mandates and the topics they focus on just shift over time they shift with funding

it's interesting to see them now focusing more on cyber security because it's a bigger issue but they weren't uh just a few years ago um and so we felt that there was a need for a non-profit information sharing organization a community organization sort of run like an association um focused exclusively on helping to protect schools from cyber security risk um so we are we don't deal with physical risk um on school school properties right now we don't deal with training the next

generation of cyber security workers not that it's not important work not the swim lane that we're in we're not in the broader Ed Tech conversation we're really an inch wide we aim to be an inch wide and a mile deep right um and so like MS-ISAC we provide um you know threat Intel to uh our members uh we do that you know via email via online portal um we try to be very sensitive about what we push into people's inboxes because we know you get flooded with alerts and then they turn them off and

they don't read them um so the online portal that we use allows people to come and pull stuff um when when they have time to search and things like that um we also brief our members a couple times a month uh one is an education specific briefing and then we actually benefit from relationship with um a larger umbrella organization so we actually do a cross-sector briefing um as well once a month and so you're getting the same threat intel and getting to interact with

um you know csos who are working in other Industries in very different settings um and those briefings tend to be a little bit more technical uh and a little bit more cross-cutting right so you're trying to pick topics that are likely to affect multiple sectors of course a lot of us from backbones that are a network is a network and a new device is very useless um provide a lot of other turns out but then frankly I think the real difference and the real value hopefully and what we

offer is helping in working with folks in the K-12 community to collaborate and so we've built a number of uh products with our members for our members and the wider community so things like our list of essential cyber security protections this is a short list of a dozen controls that we believe that every school system should and can Implement now right and it's based on advice from the FBI and CISA and folks like that it's based on information that we see coming

in on that K-12 cyber incident map yeah right so actual uh uh incidents affecting schools it's based on what insurers are asking for school districts right um and we try to make it just Theory you know built a detailed rubric and just to make it sort of dead simple actionable to understand sort of where I am and where I can go next and then we've aligned that actually now we've aligned that to not only the CIS controls which a lot of people use or the NIST

Cybersecurity Framework which a lot of other people use and now also CISA's CPGs um uh their uh performance goals for the critical infrastructure sectors so it's easy to use look at our controls and then scaffold up into this more robust Frameworks or vice versa if you've already got a more robust program you can just sort of double check yeah we don't have an ambition to ever replace those uh broader Frameworks or to be a broader framework we're just trying to

scaffold people up into that okay work um we've also built uh incident response uh plan uh template um because as we traveled around and talk to people we ask people do you have a cyber incident response plan and they were like nope nope nope nope nose and then like you know you talk to people about how you do an incident response time white it is overwhelming yeah you know you need to get the superintendent and the chief business officer and the lawyer and PR all around the table and

it's just not just doesn't happen and so the plan doesn't get written and then people experience incidents and then they're caught out don't know what to do um and so we built something that the IT department could at least put something together and use until they could do a more formal robust plan right so so we do products um like that and and the need for them come you know bubbles up for the membership um or you know through events like this through the grapevine and we work

together uh to build up and to share so I mean it's you know we give opportunities for folks to share with each other and and that's where a lot of the power is just having a school-based yeah yeah no this is it's great because I've been to a number of Ed Tech conferences and a lot of conversations you know from e-gaming to security to you know hybrid learning those kinds of things but it's AI is coming right yeah yeah I love charity I love chat I love talking about it uh a couple weeks ago

at fetc the the conversation that was just over and over again was AI right it's kind of these like Hot Topic items and I think that's nice about this is we're not going to let cyber security be this hot item that just kind of Falls the Wayside so it needs a dedicated space it's really nice what you guys have done here look I mean isn't I mean just from my work into someone that K-12 cyber incident like this is the issue is not going away right um unfortunately it's likely to continue

to get worse right um but but you're running out of space on the map the little incident map that you have there like I think you've covered everything so there's some blank spots in the midwest but it may be that there are not people living there I don't know which is cool uh Chris or Josh will will help you fill that out okay excellent excellent um yeah I mean that's you know 1,619 incidents that I have that I have added to yeah over over seven you've added me on there um yeah

Mark almost didn't want to come to this because they're not stupid so there's a funny there's a funny story so um one of our presenters I think she's presenting tomorrow Casey sensenich uh Rockingham North Carolina so they had a bad malware incident national news whole thing right pretty big school system and she ended up on the map right and uh she and I I learned this later because I was talking to her about it and she was really mad at me really mad at me because she was having the

worst two weeks of her life and there was this guy and Doug put her on the map yeah cheers good job Doug about her her misfortune and she's like unbelievable what a jerk and then six months later you know she's kind of through the worst of it survived she's like wow like I'm not the only system that's gotten hit here this is it like maybe my fault maybe there's a bigger story here and start looking and going this happened to people all over like I gotta tell people about this stuff and she's

actually now become like one of the bigger champions of this kind of sharing and I've I've done webinars with her uh before but now she's here uh presenting and it is that and you know and that's the actually one of the reasons that I wanted to launch K12 SIX but honestly because I was doing the work with the map cataloging things and I thought it was deeply important to have an Evidence base of what was going on I mean it was all right in front of our eyes right we

just hadn't put it together in a way that we could see it and I figured I was coming out of working with SETDA and I'm like if I didn't know that nobody I knew knew then maybe nobody really knows so let's just see where this goes um uh you know so it is driven so I it's driven a lot of awareness and that's terrific and it helped inform stuff but I wanted to be able to help help people and so it wasn't completely satisfying just to say oh another pin oh another pin oh

another pin that's not oh that's an interesting one that's you know like I want to be able to help right as well and keep people off the map or actually said their more realistic goal is just to um if they when they experience an incident to recover more quickly and more yeah because I uh not ending up on the map is not a a realistic uh goal yeah quite honest yeah I mean if you're a small fish maybe you get away from with it for a long time but I it's an interesting conversation it's not it's

not really if it's it's when I mean everybody everybody here I've talked to has kind of referenced an incident that they had either recently or long ago everybody now is talking about like I'm preparing for when I get hit not preventing me from getting hit so it's you know the conversation cyber security has also pivoted from prevention to recovery a lot and that's really been the last couple years uh where that has picked up it is it's interesting I'm curious from your perspective do you think

it's the insurers that are driving the the changes in the in the sort of the culture and the conversations or do you think we're just as a sector we're just getting sort of more aware and and like we're having better conversations I I mean I think I think insurance is a part of it right the insurance providers are saying I need you to do X Y and Z I think personally my perspective is less about some kind of external Factor more about like everything we're doing in a

district right now is dependent on technology COVID helped to show that like a COVID also created a lot where now I mean you when you talk about your cyber plan it's a question of if you if your systems are knocked offline it's not it's not can I continue to keep schools open it's how long can I ride with schools closed before I can get back in so I think it's more of a not say it's self-serving but we have to keep the districts open to keep schools open and less about I just got to comply

with insurance yeah I mean well look I mean and this is the I mean in a lot of audiences I've had to explain what I mean by cyber security which I actually didn't do here today because I didn't really feel like I needed to yeah we got that but we got that definition but uh right the CIA confidentiality integrity and availability and you know for so it's such a the sector is so interesting K-12 is so interesting because I just think for so long we just were so obsessed with

student data privacy and you know for good reason but like and everything was seen through that lens yeah that's yeah but student data student data is good they signed the agreement um they're they're a plaid they send the pledge they're good we're good like there's other cyber security issues got yeah that are that are happening that they or may not involved student data by the way right um now of course they're co-occurring and you know it used to be that the

ransomware actors didn't also steal uh the data uh I think as you all noted in your session I I've noted if I didn't know today you have to assume that that's I mean that's that's par par for the course yeah right in fact we're actually starting to see threat actors targeting school districts and they don't even bother to encrypt the files they just steal the files and say we're gonna dump them unless you pay it now we've also seen people by the way who steal files and encrypt data and say

you know we're gonna you know you need to pay us to get your stuff back and you pay once and they send you the decrypter and they say oh by the way you gotta pay us again you have to get the data back and not have us or not back I mean but yeah yeah well we pinky swear we're not gonna release yeah yeah um which oh actually you can take that to the bank so um yeah a challenging um I mean look I call it a wicked problem this morning I think it is a wicked problem um I wish there were easy and good

Solutions frankly if there were I sort of think that other sectors with more money uh than us and doing things like building nuclear bombs and dams would have figured it out but yeah haven't so um it's it's one of those conversations where I feel like in my career there's been all these Trends right there's there was the smart boards I was good I didn't want to I didn't want to call those bar boards derived of white boards sorry there was that Trend there I remember that there's

the clickers Trend then there was like I mean like the small classroom stuff iPads when the iPads yes right there was a there were tablets not iPads tablets but there was a period where we all had to figure out how to go Chromebooks can I say Chrome you can say Chrome oh we all had to figure out how to go one to one if we all had to figure out how to implement an LMS and uh and how to go through a transition to an SIS or ERP right there's kind of these phases we

all go through this is one that doesn't feel like it's going to be a phase this isn't trendy it's not a security is not a trend like I think your conference is more popular yeah unfortunately well right and so actually one one interesting conversation that we're not having and I actually turned some people away as participants here but there were folks who were in traditional edtech company right not cyber security solution providers who are our sponsors here uh

but um edtech companies who were in security positions in those companies who are interested in coming uh and I think they have questions about how to better secure their products and what the market was looking for and how to secure their products which is a really interesting conversation I think it needs to happen um I disinvited them into that this is a really important conversation this isn't the right event at the right time at least because it just felt like if we're

trying to build a community of trust that we're not neces we're still building it within K-12 much less you know sort of all of our instructional apps and yep things like that but I mean ultimately we're gonna have need to have that conversation with them too because I have it's it's fascinating because I have conversations with folks um like yourself who get really frustrated with certain products in certain categories I wish they can't do X that is a real problem it's a

you know but that's who we've chosen to use and I'm stuck and so I have this vulnerability that I have to work with yep but then I also talked to solution providers who say we're trying to roll out better Baseline security controls and our customers are yelling at us because they still want to send us spreadsheets with cs you know csvs with Zoom data they won't Implement MFA or what what have you they won't update their systems and so I'm like all right I believe you both but I think there's

also a conversation to be had in the middle here um and we've actually helped at K12 SIX we've actually helped do Outreach on behalf of districts to um vendors to solve help them solve help them be aware and then solve security problems they're creating for schools yeah but the school district Personnel for whatever reason either couldn't get to the right person or felt like or I mean I've heard stories of people who like gotten in trouble um like the sales person of the company

will go around them and complain to the superintendent or something and so they end up getting you know dinged for trying to do the right thing and bring a security issue forward right so I'm like well I don't have a problem you know come to me I won't disclose Who You Are I'll go right to the top yeah and we'll try to get it addressed that way and we've had some success actually so we've sort of help make the users of this product which a lot of people in the

sector use a little bit safer because we were able to get them or incident you know a vulnerability that they fixed after we validated that it was real um you know they fixed that the district couldn't get yeah yeah to that so yeah we need to get that conversation going and and you know certainly you look at issues like Illuminate Education I don't know if you use Illuminate caught up in the incident they had last year I mean they have um uh not what I'm not giving them good marks

for their incident um response and their Communications um that's probably generous uh I suspect that those of you who use them are in the same you know same sort of place but that's not helpful for me it's not helpful for anybody well we're uh in our in my district we we do use Illuminate we're not caught up in that situation okay it's a different product but to your point though there have been other vendors or refused we're like hey we just saw in the news you had an issue are we

is there is there anything that we need to do here are we good so it's kind of like let's not just assume that no news is good news like we need there needs to be some sort of confirmation so I mean we have unfortunately we have plenty of examples of actually known if he's not being right uh good news uh unfortunately we also have examples of people saying you're all good only six months later to find out that no you were not good well this is a very oh wait uplifting I

know I was like wow that's a downer but no that was yeah no that's a wrong one Oh wrong one [Music] the first time you two have met a person yes this is yeah is this the last this is personally it was going fine until he just hit the soundboard really because I thought the whole Dallas thing it sounded like you were treading on thin ice already no we got through that it's this one okay that's the one you were looking we met at one um yep he went in for a hug I just I didn't go with I extended a

handshake instead I didn't go out of a rock but that was the first time we had met in person yeah boss yeah are you Huggers no there's a boss I really do what if he was just coming oh you think they're retired so you leaned in like you were falling asleep as you met me that's probably what I just got enough long flights yeah it was Boston people aren't hungry he hasn't been in New England yet he's they're coming to New England in the spring okay oh yeah I heard that they're

weird about that is that is that that trip yeah like he invited us to his cabin yeah it's your cabin it's not really a cabin but but yeah we'll go with that yeah they are worried about it we'll see what happens you have a lot of witnesses now I'm one of them yeah if we get through this we're gonna proceed with New Hampshire and then physical security will be the next conversation we'll be talking about well this is I mean so talk about like conversations that are that are that are like adjacent

but weird like so you've had this conversation about like getting kids especially the cyber security careers and awareness it's been a bunch of work on that there's whole conferences about that like lots of physical security conferences no cyber in nice conversations and all of their stuff they're buying now is smart and I.T I mean you're yeah I mean do you guys even know do you have any input when that stuff is bought or you just like we're plugging the stuff in open up the

firewall we yeah I mean we we are in those conversations right now and it is hard because your leadership is looking at physical versus cyber security and there are times where you want to raise your hand and say like I this may look like the best product for X Y and Z but hey I've got a cyber concern here but in their mind in leadership's mind like I more often than not it's a physical security threat that we need to close off uh and that's where you know it's it's a really hard conversation to

have uh honestly it's I think it's frankly really hard to disentangle that nowadays almost every physical incident you're going to see social media threats or or some some precursor of this stuff building up um yeah all these systems are I IP based right so Dev even setting aside like the Privacy me and ethical concerns which I I don't do lightly right those are those are a big deal on some of those systems too so yeah it's definitely complicated but we it's we we have this weird you know like

focus on student data privacy and physical security and you know I don't know what cyber I mean I don't it's not gonna hold no well because he says speaking of not holding the session doors or opening looks like it so Doug thanks for hanging out with us thanks for having us here at the conference thanks for coming thanks for coming I really I'm excited to have you guys uh here I've been a big fan of the podcast and uh loved some of those interviews that you've done particularly

around cyber security uh he dropped the LAUSD yeah or when while we're here well that would have been the horde no Chris so I haven't had a chance to listen to that but uh yeah uh I'm looking forward to that oh thank you thank you for some good work and hopefully we get a few more listeners for you it's awesome thank you thank you all right thank you

Transcript source: Provided by creator in RSS feed: download file